On 1/14/19 12:56 PM, Naveen Neelakanta wrote:
> Hi All,
>
> Is it possible to just configure the Source NAT and Destination NAT
> rules without giving any zone information or interface information and
> just configure IP addresses?
>
> Also, I see that if DNAT rules are configured, SNAT rules in the snat file are
> being skipped; however, the masquerade is happening with the interface
> IP, but I want to change the source IP from a NAT pool that is configured.
>
When DNAT is applied on an incoming flow, SNAT rules are ignored because the response packet's source IP *must be* the destination IP in the incoming packet.

> snat file:
> SNAT(10.24.19.235) 192.168.7.50/32 eth2:1.1.1.1/32
> rules file:
> DNAT lan inet:2.2.2.2 0 - - 1.1.1.1
>
> When I get the rule, I am not sure which zone it belongs to; I just get
> the IP address and interface name.

I don't understand why you cannot determine the zone. The zone *must* be known for Shorewall to generate the companion ACCEPT rule (remember that Shorewall DNAT rules generate two ip[6]tables rules: a DNAT rule in the nat table and an ACCEPT rule in the filter table).

-Tom

-- 
Tom Eastep        \ Q: What do you get when you cross a mobster with
Shoreline,         \    an international standard?
Washington, USA    \ A: Someone who makes you an offer you can't
http://shorewall.org \    understand
                      \_______________________________________________
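Added illustration (not Shorewall's code, not from the thread): a toy model of the two points Tom makes, using the thread's addresses. The lan-side interface name "eth0" and the hand-written iptables equivalents of a Shorewall DNAT line are assumptions; the conntrack part shows why the reply's source address is fixed to the original destination before any snat entry could act on it.

```python
# Added example, not Shorewall code.  Addresses are the ones from the thread;
# "eth0" as the lan zone's interface is an assumption.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def dnat_rule_to_iptables(zone_iface, orig_dest, new_dest, out_iface):
    """A Shorewall DNAT line expands to two ip[6]tables rules, and *both*
    need the source zone's interface (hand-written equivalents, assumed)."""
    return [
        f"iptables -t nat -A PREROUTING -i {zone_iface} -d {orig_dest} "
        f"-j DNAT --to-destination {new_dest}",
        f"iptables -A FORWARD -i {zone_iface} -o {out_iface} "
        f"-d {new_dest} -j ACCEPT",
    ]


class Conntrack:
    """DNAT is decided on the first packet of a flow; the mapping is stored
    and applied in reverse to every reply before any snat rule is consulted."""

    def __init__(self, dnat):
        self.dnat = dnat    # original destination -> real destination
        self.flows = {}     # (client, real destination) -> original destination

    def forward(self, pkt):
        real = self.dnat.get(pkt.dst, pkt.dst)
        self.flows[(pkt.src, real)] = pkt.dst
        return Packet(pkt.src, real)

    def reply(self, pkt):
        # Reply from the real server: conntrack restores the original
        # destination as the source, so the client sees 1.1.1.1 answering.
        orig = self.flows.get((pkt.dst, pkt.src))
        return Packet(orig, pkt.dst) if orig else pkt


def demo():
    """lan client 192.168.7.50 -> 1.1.1.1 is DNAT'd to 2.2.2.2; the reply
    from 2.2.2.2 comes back with source 1.1.1.1, not 10.24.19.235."""
    ct = Conntrack({"1.1.1.1": "2.2.2.2"})
    out = ct.forward(Packet("192.168.7.50", "1.1.1.1"))
    back = ct.reply(Packet("2.2.2.2", "192.168.7.50"))
    return out, back
```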
Shorewall-users mailing list: https://lists.sourceforge.net/lists/listinfo/shorewall-users
